PHP confirmation page

  • chibuki
  • Novice
  • Posts: 22

Post 3+ Months Ago

I've never done a confirmation page before. Usually I just make the answers submit to the database right away, but now I want it to be in a confirmation page first and then place the answers in the database.

This is basically the demo version of what I have: Clicky
Note that when you click the Confirm button, it doesn't actually submit.

I can pass the value to the confirmation page successfully, but I'm confused on how to send the answers to the database from there. Here's the code I have right now: Clicky

In my database, I have these fields for the "SurveyTest" table:
Username - varchar(24)
q01 - varchar(10)
q02 - varchar(10)

How do you use the _POST method to send it to the database in the confirmation page?
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

In your confirmation page, save the information into a hidden field, and the Continue would be the submit button for those HIDDEN fields.
  • chibuki
  • Novice
  • Posts: 22

Post 3+ Months Ago

Like this? Weird, it still won't submit to the database
Am I doing the PHP correctly in the code link above?

Code:
<body>
<h1>Your answers...</h1>
<form id="confirmform" name="confirmform" method="post" action="surveytest.php">
    <p>Gender: <input type="hidden" name="q01" id="q01" value="<?php echo $sq01 ?>" /><?php echo $sq01 ?><br />
    Hair color: <input type="hidden" name="q02" id="q02" value="<?php echo $sq02 ?>" /><?php echo $sq02 ?><br />
    Your name: <input type="hidden" name="username" id="username" value="<?php echo $sUsername ?>" /><?php echo $sUsername ?><br />
    </p>
    <input type="hidden" name="action" id="action" value="add" />
    <input type="submit" name="Submit" value="Continue" />
</form>
</body>
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

Did you put correct stuff in the surveytest.php? It works perfectly for me where I use it...

Also, no, you put the hidden fields after you showed the information... it won't show the information to the user... something like the following example:
PHP Code:
<?php
// Read the submitted answers; use an empty string when a field is missing.
$sUsername = isset($_POST["username"]) ? $_POST["username"] : "";
$sq01 = isset($_POST["q01"]) ? $_POST["q01"] : "";
$sq02 = isset($_POST["q02"]) ? $_POST["q02"] : "";
 
include("connect.php");
 
// "action" is only posted by the hidden field in the confirm form below.
if(isset($_POST["action"]))
{
   // Hidden fields can be edited by the user, so escape every value
   // before it is placed inside the SQL string.
   $query = "INSERT INTO SurveyTest (Username, q01, q02)
      VALUES (
         '".mysql_real_escape_string($sUsername)."',
         '".mysql_real_escape_string($sq01)."',
         '".mysql_real_escape_string($sq02)."')";
                 
   //Run query
   $result = mysql_query($query);
   if(!$result)
   {
      die("Could not query the database:<br />". mysql_error());
   } else {
      header("Location: index.php");
      exit; // stop here so the rest of the page is not sent after the redirect
   }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Confirm</title>
<style type="text/css">
b {
   font-family:Arial, Helvetica, sans-serif;
}
</style>
</head>
 
<body>
<h1>Your answers...</h1>
<!-- htmlspecialchars() keeps submitted text from being treated as HTML -->
<p>Gender: <?php echo htmlspecialchars($sq01, ENT_QUOTES) ?><br />
Hair color: <?php echo htmlspecialchars($sq02, ENT_QUOTES) ?><br />
Your name: <?php echo htmlspecialchars($sUsername, ENT_QUOTES) ?><br />
</p>
<form id="confirmform" name="confirmform" method="post" action="surveytest.php">
   <ins><input type="hidden" name="action" id="action" value="add" />
   <input type="hidden" name="q01" id="q01" value="<?php echo htmlspecialchars($sq01, ENT_QUOTES) ?>" />
   <input type="hidden" name="q02" id="q02" value="<?php echo htmlspecialchars($sq02, ENT_QUOTES) ?>" />
   <input type="hidden" name="username" id="username" value="<?php echo htmlspecialchars($sUsername, ENT_QUOTES) ?>" />
   <input type="submit" value="Confirm" /></ins>
</form>
</body>
</html>

Something like that...

Another workaround is saving the $_POST to a SESSION and then, where you want it to be, save the SESSION to $_POST...
confirm.php
PHP Code:
session_start(); // must be called before $_SESSION can be used
$_SESSION['POST'] = $_POST;

surveytest.php
PHP Code:
session_start();
$_POST = $_SESSION['POST'];
// on and on and on

I think that should work if you can't figure out the hidden field thing...
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

well chibuki, i think bogey gave all the methods.

if you have to pass the parameters through one page, then it's better to use hidden input types.

You can use session // cookies much better though if those are sensitive infos.

cos hidden type fields can easily be exploited by an (advance type :D) user.
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

The hidden fields are viewable only through the Source, they are unique for every user as every user fills out his or her own information, and it isn't a security threat as a person seeing the information he or she put in a few minutes ago wouldn't be a threat.

But then, I may not be an advanced user... what were you thinking of when you said "exploited"?
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

hmmm

eg like you have a website and you want to allow user name (eg. bogey1234) containing only alphabets and numbers(no other special characters including dashes and others)

so you submit the registration page and the parameter is passed to confirmation page as said above, there you check for any other special characters including dashes etc

and finally when everything is ok, you are ready to pass the hidden type fields(which contains user name bogey1234) to the other page where it will get saved to database.

Now an advance type user will change that hidden type field value (bogey1234 to something like bogey_1234) and then submit his/her user name including those special characters.

It is not harmful though, but there are other kinda threats which i can't say in open forums :P
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

How could an advanced user change the value? It's viewable only through the source as far as I know... how is that possible?
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

eh that's easy

download the file(as html) on your computer and then go to source and change the value of the hidden fields and save the local file (as html)

and then submit it, with the values you desire

i bet, you became advance today :D
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

That could be so, but programmers usually check if the values submitted are the desired ones right before they put them into the database... that's one of the security measures most programmers take.
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

Well i agree with you

but you didn't get my point, the things (or logic) you checked on confirmation page for the user name, you have to check those again on the page you are submitting.

That's why i said, if they r not sensitive, one can use hidden fields

Peace :)
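
The re-check discussed in the posts above, as an added example that is not part of the original thread: the save step runs the same validation the confirmation page used and inserts with a PDO prepared statement, so a hidden field edited after confirmation is rejected. The function names, the allowed answer lists and the in-memory SQLite table standing in for SurveyTest are assumptions for illustration (requires the pdo_sqlite extension).

```php
<?php
// Added example: allowed answers and function names are assumptions.
const ALLOWED_Q01 = ['male', 'female'];
const ALLOWED_Q02 = ['black', 'brown', 'blonde', 'red'];

// One rule set, called on the confirmation page AND again on the save step,
// because hidden fields can be edited between the two requests.
function validate_survey(array $post): array
{
    $clean = [];
    foreach (['username', 'q01', 'q02'] as $key) {
        // A missing field or an array value (q01[]=x) is treated as empty.
        $clean[$key] = isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
    }
    $errors = [];
    // Letters and digits only; Username is varchar(24) in SurveyTest.
    if (!preg_match('/\A[A-Za-z0-9]{1,24}\z/', $clean['username'])) {
        $errors[] = 'username';
    }
    if (!in_array($clean['q01'], ALLOWED_Q01, true)) {
        $errors[] = 'q01';
    }
    if (!in_array($clean['q02'], ALLOWED_Q02, true)) {
        $errors[] = 'q02';
    }
    return [$errors, $clean];
}

// Save step: re-validate, then insert with bound parameters.
function save_survey(PDO $db, array $post): array
{
    [$errors, $clean] = validate_survey($post);
    if ($errors) {
        return $errors; // nothing is written for a rejected submission
    }
    $stmt = $db->prepare('INSERT INTO SurveyTest (Username, q01, q02) VALUES (?, ?, ?)');
    $stmt->execute([$clean['username'], $clean['q01'], $clean['q02']]);
    return [];
}

// Constructed demo data; in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE SurveyTest (Username VARCHAR(24), q01 VARCHAR(10), q02 VARCHAR(10))');
$asConfirmed = ['username' => 'bogey1234', 'q01' => 'male', 'q02' => 'brown'];
$edited = ['username' => 'bogey_1234', 'q01' => 'male', 'q02' => 'brown'];
echo json_encode(save_survey($db, $asConfirmed)), "\n";
echo json_encode(save_survey($db, $edited)), "\n";
echo $db->query('SELECT COUNT(*) FROM SurveyTest')->fetchColumn(), " row(s) stored\n";
```

On the real pages, `validate_survey($_POST)` would run in the confirmation script before the answers are displayed, and `save_survey` in the script that handles the Confirm button.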
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

I got what you were saying in my latest post (Before this one), I just continued on the argument... :)
  • chibuki
  • Novice
  • Posts: 22

Post 3+ Months Ago

Thanks for all the help! I'll keep in mind about the hidden field being exploited.

Looks like I encounter a weird problem though... I got it working once. I saw the data in my database, but then I went ahead to Empty my table to start over. After the list emptied, for some reason it won't drop the answers to my table again.

Do I need PHP in at surveytest.php? Because I put everything at confirmation.php

Or maybe I did something wrong with my MySQL?

This is my surveytest.php code and this is my confirmation.php code right now.

Sorry if I'm not clear about something.
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

probably action is not set/initialized with anything in confirmation.php

Code:
if(isset($_POST["action"]))

In surveytest.php Locate
Code:
<form id="quizform" name="quizform" method="post" action="confirmation.php">
....
...

and
put this line inside the form
Code:
<input type="hidden" name="action" value="set" />

I hope that will do and if you get database error
Could not query the database
use this query
Code:
OPTIMIZE TABLE SurveyTest;

in phpmyadmin

Quote:
Do I need PHP in at surveytest.php?

Did you mean to ask whether to make the page type PHP or HTML?
At this point, I think you don't need to make the page type as php there, html will do!
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

dark_lord wrote:
probably action is not set/initialized with anything in confirmation.php
Code:
if(isset($_POST["action"]))

In surveytest.php Locate
Code:
<form id="quizform" name="quizform" method="post" action="confirmation.php">
....
...

and put this line inside the form
Code:
<input type="hidden" name="action" value="set" />

That is unnecessary... Change the following:
Code:
<input type="submit" name="button" id="button" value="Submit" />

to
Code:
<input type="submit" name="action" id="button" value="Submit" />
  • chibuki
  • Novice
  • Posts: 22

Post 3+ Months Ago

If it do that at surveytest.php, won't the data submit before it even passed to confirmation.php?
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

Bogey wrote:
That is unnecessary... Change the following:
Code:
<input type="submit" name="button" id="button" value="Submit" />

to
Code:
<input type="submit" name="action" id="button" value="Submit" />


That is unnecessary... Change the following:
Code:
if(isset($_POST["action"]))

to
Code:
if(isset($_POST["username"]))

:D hehe
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

chibuki wrote:
If it do that at surveytest.php, won't the data submit before it even passed to confirmation.php?



sorry didn't understand anything. You need to be more descriptive.
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

dark_lord wrote:
Bogey wrote:
That is unnecessary... Change the following:
Code:
<input type="submit" name="button" id="button" value="Submit" />

to
Code:
<input type="submit" name="action" id="button" value="Submit" />

That is unnecessary... Change the following:
Code:
if(isset($_POST["action"]))

to
Code:
if(isset($_POST["username"]))

:D hehe

It doesn't make a difference which way you do it. You can put any field name into the isset($_POST['field_name']) thing.

The reason I made him change the button to action was because he was checking if that was submitted (or set in other words), but really, it doesn't matter.
chibuki wrote:
If it do that at surveytest.php, won't the data submit before it even passed to confirmation.php?

If you do what at surveytest.php?
  • chibuki
  • Novice
  • Posts: 22

Post 3+ Months Ago

surveytest.php:
Code:
<input type="submit" name="action" id="button" value="Submit" />


So I did just that here, and the answers actually get stored into the database, but I'm getting a "page not found" error.

I think I understand the way you guys have shown me but I keep running into errors. :(

Also sorry, but if I change the submit button's name="action" at surveytest.php, the data gets stored to the database before it even makes it to confirmation.php, does it not?
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

ctrl+c @bogey :D

@chibuki

you don't have the confirmation.php file under that test folder, that's why you are getting that 404 error

and in the earlier code (which you showed), it's clear that the info is getting stored in the database and then it's making it to the confirmation.php page

Post Information

  • Total Posts in this topic: 21 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.